CVE-2023-36934
published 2023-07-05


Priority: P1
CVSS 3.1: 9.1 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 94.84% (99.8th percentile)
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Affected (6 ranges)

Vendor     Product           Version range          Fixed in
progress   moveit_transfer   < 12.1.11              12.1.11
progress   moveit_transfer   >= 13.0.0 < 13.0.9     13.0.9
progress   moveit_transfer   >= 13.1.0 < 13.1.7     13.1.7
progress   moveit_transfer   >= 14.0.0 < 14.0.7     14.0.7
progress   moveit_transfer   >= 14.1.0 < 14.1.8     14.1.8
progress   moveit_transfer   >= 15.0.0 < 15.0.4     15.0.4

Detection & IOCs (extracted from sources)

url:      /human.aspx
path:     /human.aspx
path:     /machine.aspx
path:     /api/v1/auth/token
other:    http.favicon.hash:989289239
other:    icon_hash=989289239
command:  INSERT INTO activesessions (SessionID) values ('<session>');UPDATE activesessions SET Username=(select Username from users order by permission desc limit 1) WHERE SessionID='<session>'
cookie:   siLockLongTermInstID=0
  • Exploit targets /human.aspx endpoint with SQL injection payload in the Username query parameter, injecting into the activesessions table to forge an authenticated session.
  • Exploit chain uses four sequential HTTP requests: POST to /human.aspx (SQLi), POST to /human.aspx?ep= (pass change), POST to /machine.aspx (session), POST to /api/v1/auth/token (token retrieval). Successful exploitation returns access_token, refresh_token, token_type, and expires_in in the response body.
  • Attacker sets LastTouch to a far-future date (2099-06-10) in the activesessions table to keep the forged session alive.
  • Token request to /api/v1/auth/token uses grant_type=session with arbitrary username/password, relying on the previously injected session cookie for authentication bypass.
  • GreyNoise observed low-volume exploitation attempts against CVE-2023-36934 on June 12, 2025, during a period of heightened MOVEit Transfer scanning. Monitor for scanning IPs concentrated in Tencent Cloud ASN 132203.
  • 303 IPs (44%) of MOVEit Transfer scanners originate from Tencent Cloud ASN 132203; other sources include Cloudflare (113 IPs), Amazon (94), and Google (34). Elevated scanning (200–300 unique IPs/day) began May 27, 2025.
  • Content-Type for exploit requests is application/x-www-form-urlencoded; the initial signon transaction body is 'transaction=signon'.
  • The SQL injection payload selects the highest-privileged user from the users table (ORDER BY permission DESC LIMIT 1) to impersonate, meaning the forged session will have the permissions of the most privileged account in the database.
  • Vulnerability is unauthenticated — no prior credentials or session are required to trigger the SQL injection via the MOVEit Transfer web application endpoint.
  • Affected versions span a wide range: before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). Ensure all branches are patched.
  • EPSS score of 0.91212 (99.652nd percentile) indicates very high probability of exploitation in the wild; treat as high-priority patching target.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck             9.1     CRITICAL